Effects of Processing Delay on Function-Parallel Firewalls

R.J. Farley and E.W. Fulp (USA)


Interconnection Networks, Security, Parallel Computing Systems.


Comprehensive security policies are an integral part of creating a secure network, and firewalls are commonly used to enforce them. A firewall inspects traffic arriving at or departing from a network by comparing each packet against an ordered set of rules and applying the action of the first matching rule, accept or deny. Unfortunately, inspection of this kind can impose significant delay on traffic because of the size and complexity of policies, so improving firewall performance is important for the next generation of high-speed networks. This paper investigates the performance of a function-parallel firewall architecture that distributes the original policy across an array of firewalls. Every packet is processed by all the firewalls simultaneously, and a gate then makes the final decision (accept or deny) from the results of the individual firewalls. Because each firewall holds only a portion of the original policy and therefore has fewer rules to process, the function-parallel system has lower delay (e.g. 74% lower for a four-firewall array) and higher throughput than data-parallel (load-balancing) firewall designs, in which every firewall holds the entire policy and processes only a share of the traffic. The performance gain, however, depends on the speed of the gate, since its decision lies on the critical path of every packet. The potential speed increase and the impact of the gate are demonstrated empirically.
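As an added worked example (not code from the paper or its authors), the following Python model reproduces the mechanism the abstract describes: an ordered policy is split round-robin across k firewalls, each firewall evaluates a packet only against its own slice, and a gate combines the per-firewall results into one decision. The gate's reconciliation rule used here, the match with the lowest index in the original policy wins, is an assumption made so that the array preserves the single policy's first-match semantics; the abstract does not say how the paper's gate combines results. The policy and traffic sample are constructed, and "cost" counts rule comparisons rather than measured latency, so the numbers illustrate the mechanism and are not the paper's 74% figure. A deliberately wrong gate (accept if any member accepts) is included to show why rule order must survive the split.

```python
"""Toy model of a function-parallel firewall array (constructed example).

Each firewall holds a slice of the original ordered policy and evaluates every
packet against only that slice; a gate combines the per-firewall results into a
single accept/deny decision.  ASSUMPTION: the gate picks the matching rule with
the lowest index in the ORIGINAL policy, which preserves first-match semantics.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    index: int             # position in the original ordered policy
    proto: str             # "tcp", "udp" or "*" (any)
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None matches any destination port
    action: str            # "accept" or "deny"

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "*" or self.proto == pkt["proto"])
                and pkt["src"] in self.src and pkt["dst"] in self.dst
                and (self.dport is None or self.dport == pkt["dport"]))


def parse_policy(lines):
    """Parse 'proto src dst dport action' lines into an ordered rule list."""
    rules = []
    for i, line in enumerate(lines):
        proto, src, dst, dport, action = line.split()
        rules.append(Rule(i, proto, ip_network(src), ip_network(dst),
                          None if dport == "*" else int(dport), action))
    return rules


def packet(proto, src, dst, dport):
    return {"proto": proto, "src": ip_address(src), "dst": ip_address(dst), "dport": dport}


def first_match(rules, pkt):
    """Sequential firewall: (first matching rule or None, number of rules compared)."""
    for n, rule in enumerate(rules, 1):
        if rule.matches(pkt):
            return rule, n
    return None, len(rules)


def distribute(rules, k):
    """Round-robin the ordered policy over k firewalls; each slice keeps its order."""
    return [rules[i::k] for i in range(k)]


def gate(results):
    """Lowest original index wins, so the array decides exactly as the single policy would."""
    hits = [rule for rule, _ in results if rule is not None]
    return min(hits, key=lambda r: r.index) if hits else None


def function_parallel(slices, pkt, default="deny"):
    """All slices run 'simultaneously'; array latency is the slowest member's comparisons."""
    results = [first_match(s, pkt) for s in slices]
    winner = gate(results)
    return (winner.action if winner else default), max(n for _, n in results)


def naive_any_accept(slices, pkt):
    """A gate that ignores rule order (accept if any member accepted): wrong on shadowed rules."""
    results = [first_match(s, pkt) for s in slices]
    return "accept" if any(r is not None and r.action == "accept" for r, _ in results) else "deny"


def evaluate(rules, k, pkts):
    """Per packet: (sequential action, parallel action, sequential cost, parallel cost)."""
    slices = distribute(rules, k)
    out = []
    for p in pkts:
        seq_rule, seq_cost = first_match(rules, p)
        par_action, par_cost = function_parallel(slices, p)
        out.append((seq_rule.action if seq_rule else "deny", par_action, seq_cost, par_cost))
    return out


# Constructed policy; rule 1 is shadowed by rule 0 for 10.0.1.0/24, which is
# exactly the case a gate that ignores rule order gets wrong.
POLICY = parse_policy([
    "tcp 10.0.0.0/8    192.168.1.10/32 22  deny",
    "tcp 10.0.1.0/24   192.168.1.10/32 22  accept",
    "tcp 0.0.0.0/0     192.168.1.10/32 80  accept",
    "tcp 0.0.0.0/0     192.168.1.10/32 443 accept",
    "udp 0.0.0.0/0     192.168.1.53/32 53  accept",
    "tcp 172.16.0.0/12 192.168.1.0/24  *   accept",
    "*   0.0.0.0/0     192.168.1.0/24  *   deny",
])

# Constructed traffic sample.
PACKETS = [
    packet("tcp", "10.0.1.5", "192.168.1.10", 22),     # hits the shadowed pair
    packet("tcp", "203.0.113.7", "192.168.1.10", 443),
    packet("udp", "198.51.100.2", "192.168.1.53", 53),
    packet("tcp", "172.16.5.9", "192.168.1.20", 8080),
    packet("tcp", "8.8.8.8", "192.168.1.99", 25),
    packet("tcp", "1.2.3.4", "10.0.0.1", 80),          # no rule matches: default deny
]

if __name__ == "__main__":
    for row in evaluate(POLICY, 4, PACKETS):
        print(row)
```

With four firewalls the sequential firewall compares 30 rules in total over the six packets while the array's worst member never compares more than two per packet, and the decisions are identical. The same split with two firewalls puts rule 0 and rule 1 on different members; an order-blind gate accepts the shadowed packet that the original policy denies, which is the reason the gate must know the original rule order and why its speed, not just the members', bounds the array's delay.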
